Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Filter event data using conditional regex

anshul0915
Explorer
‎09-22-2017 09:56 PM

HI All,

Below is my raw event data .
{"FormatVersion":"1.1","StartTime":"2017-09-22T01:11:38.565Z","EndTime":"2017-09-22T01:11:39.468Z","EventType":"Login","Result":"Success","UserId":"dmorand","TerminalId":"172.16.3.85","SessionId":"RCIcAM1DxUYmG7WMDMkEuQXyGTpOqcBMtyrGOPpFUPU=","LoginUri":"/login-auth/saml","EventSource":"Platform","ServerHostname":"fe02.hbc.stage.us-west-2.orionsaas"}

I want event indexing like below condition.
1. IF "EventType":"Login" and "LoginUri":"/login-auth/saml" the index those event. means we need to discard those event in which event type = login and login uri != /login-auth/saml
2. if "EventType":"Login" and "LoginUri" is not present then index those event
3. If in logs event type not equal to login then index those events also

please help for making this regex .

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 09:54 AM

Props.conf

 [sourcetypeName]
 KV_MODE=json
 INDEXED_EXTRACTIONS=true
 TRANSFORMS-toNull=toNull

Transforms.conf

 [toNull]
 REGEX= .*^((?!EventType":"Login".*LoginUri":"\/login-auth\/saml).*)
 DEST_KEY=queue
 FORMAT=nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 09:54 AM

Props.conf

 [sourcetypeName]
 KV_MODE=json
 INDEXED_EXTRACTIONS=true
 TRANSFORMS-toNull=toNull

Transforms.conf

 [toNull]
 REGEX= .*^((?!EventType":"Login".*LoginUri":"\/login-auth\/saml).*)
 DEST_KEY=queue
 FORMAT=nullQueue
0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 10:09 AM

Needs to be on the forwarder(s) and indexer(s). Will only apply to new data that is indexed after the settings are in placeZ

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 10:41 AM

Why on both places configuration required . On only indexer will it not work??

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-25-2017 11:26 AM

INDEXED_EXTRACTIONS has to be on the forwarder. The queue routing happens on first full Splunk instance (heavy forwarder or indexer).

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎09-24-2017 05:04 AM

what does the last point 'if "EventType":"Login" not equals to Login index those event' mean?

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 05:10 AM

If in logs event type not equal to login then index those events also

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎09-24-2017 08:20 AM

one last question - do you want to extract them in the conf files before getting indexed or you want to write a post search regex to extract ONLY these events using regex for this particular use case?

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 08:44 AM

Want in conf file before getting indexed

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...